Case study: Water security & desalination — a leading organization's implementation and lessons learned
A concrete implementation with numbers, lessons learned, and what to copy/avoid. Focus on attack paths, detection/response, and how to harden real-world systems.
In 2024, the European Environment Agency reported that 30% of Europe's population lives in water-stressed regions, with Mediterranean countries experiencing their driest conditions in over 500 years. Against this backdrop, desalination has emerged as a critical infrastructure solution—yet with increased digitization comes unprecedented cybersecurity vulnerabilities. A 2025 study by the European Union Agency for Cybersecurity (ENISA) revealed that water utilities experienced a 47% increase in cyberattacks compared to 2023, with operational technology (OT) systems representing the primary attack surface. This case study examines how leading European water organizations have implemented comprehensive security frameworks, the attack vectors they've encountered, and the lessons learned from hardening these essential systems against both physical and digital threats.
Why It Matters
Water security represents one of the most pressing challenges facing European policymakers, utility operators, and sustainability practitioners in 2024-2025. The convergence of climate change-induced water scarcity, aging infrastructure, and accelerating digital transformation has created a perfect storm of vulnerabilities that threat actors are increasingly exploiting.
The statistics paint a sobering picture. According to the European Commission's 2024 Water Scarcity Report, desalination capacity in the EU reached 2.3 billion cubic meters annually, representing a 23% increase from 2020 levels. Spain alone operates over 765 desalination plants, producing approximately 5 million cubic meters of freshwater daily and supplying 9% of the country's total water demand. The Mediterranean region's dependence on desalination is projected to double by 2030, making these facilities increasingly attractive targets for malicious actors.
The cybersecurity dimension cannot be overstated. The 2021 Oldsmar water treatment facility attack in the United States, in which an attacker used remote access software to raise the sodium hydroxide dosing setpoint to a dangerous level before an operator noticed and reverted it, served as a wake-up call for the global water sector. In Europe, the NIS2 Directive, whose transposition deadline was 17 October 2024, lists drinking water supply and wastewater management among the sectors of high criticality whose operators are treated as essential entities with enhanced cybersecurity obligations. Penalties for essential entities can reach €10 million or 2% of global annual turnover, whichever is higher, creating both regulatory and financial imperatives for robust security implementations.
The European Investment Bank committed €4.2 billion to water infrastructure projects in 2024, with approximately 15% allocated specifically to cybersecurity upgrades and operational technology hardening. This investment reflects growing recognition that water security encompasses not merely availability and quality, but also the resilience of digital systems controlling treatment, distribution, and monitoring operations.
For sustainability professionals, the intersection of water security and cybersecurity represents a critical knowledge gap. Traditional environmental risk assessments often overlook digital attack vectors, while IT security teams may lack domain expertise in industrial control systems specific to water treatment and desalination. Bridging this gap requires understanding both the technical vulnerabilities and the operational contexts in which they exist.
Key Concepts
Water Security encompasses the reliable availability of acceptable quantity and quality of water for health, livelihoods, ecosystems, and production, coupled with acceptable levels of water-related risks. In the context of critical infrastructure protection, water security extends beyond hydrological considerations to include the integrity of control systems, the confidentiality of operational data, and the availability of treatment and distribution services. The UN-Water definition emphasizes that water security requires managing risks across the entire water cycle, from source to consumption and beyond.
Traceability in water systems refers to the ability to track and verify the origin, treatment history, and distribution pathway of water resources. Modern traceability systems integrate sensor networks, blockchain-based verification, and real-time monitoring platforms to ensure chain-of-custody documentation. For desalination facilities, traceability encompasses membrane performance metrics, chemical dosing records, and energy consumption patterns—all of which generate data streams that require protection from manipulation or unauthorized access.
Scenario Analysis represents a structured methodology for evaluating potential future states and their implications for decision-making. In water security contexts, scenario analysis models drought conditions, demand fluctuations, infrastructure failures, and cyberattack impacts. The European Commission's PESETA IV project employs scenario analysis to project water availability under various climate pathways, while MITRE ATT&CK for Industrial Control Systems catalogues the tactics and techniques adversaries have used against control systems and is widely used as the shared vocabulary for building cyberattack scenarios against water infrastructure.
Critical Infrastructure designates assets, systems, and networks whose incapacitation or destruction would have significant adverse effects on essential societal functions, health, safety, security, or economic well-being. Under the EU's Critical Entities Resilience Directive (CER), water supply operators must conduct risk assessments, implement resilience measures, and report incidents to competent authorities. The directive recognizes that interconnected infrastructure systems create cascading vulnerability chains—a cyberattack on water systems can affect healthcare, food production, and energy generation.
Water Scarcity occurs when water demand exceeds available supply during a given period or when poor quality restricts use. The Water Exploitation Index Plus (WEI+) measures the ratio of total freshwater use to renewable freshwater resources. Southern European regions regularly exceed the 20% threshold indicating water stress, with Cyprus, Malta, and parts of Spain experiencing WEI+ values above 40%. Desalination addresses water scarcity by creating location-independent freshwater production capacity, but simultaneously introduces new dependencies on energy systems and digital controls.
What's Working and What Isn't
What's Working
Integrated Security Operations Centers (SOCs) for Water Utilities: Canal de Isabel II, Madrid's primary water utility serving 6.5 million residents, established a dedicated Security Operations Center in 2023 that monitors both IT and OT environments. The SOC integrates feeds from 2,400 remote sensors, SCADA systems, and enterprise networks into a unified security information and event management (SIEM) platform. In its first year of operation, the SOC detected and contained 47 attempted intrusions before they could affect operational systems. The key success factor was co-locating cybersecurity analysts with process engineers, enabling rapid contextualization of anomalies that might appear benign to IT-focused analysts but indicate significant OT concerns.
Air-Gapped Backup Control Systems: IDE Technologies, an Israeli-founded company operating major desalination facilities across Europe including the 200,000 cubic meters per day Barcelona desalination plant, implemented physically isolated backup control systems that can assume operations within 15 minutes of primary system compromise. These backup systems maintain manual override capabilities and are updated through secure, unidirectional data transfer protocols. The caveat a practitioner should keep in mind is that any channel able to push configuration into the backup is also a channel along which a compromise of the primary can follow, so updates to the backup need to be staged and validated rather than mirrored automatically. During a 2024 ransomware attempt targeting the Barcelona facility's IT network, operators transitioned to backup controls while the primary systems were forensically analyzed, maintaining continuous water production throughout the incident.
Zero Trust Architecture Implementation: Thames Water, serving 15 million customers across London and the Thames Valley, completed a comprehensive Zero Trust implementation in 2024 covering both enterprise IT and operational technology networks. The architecture requires continuous verification of every user, device, and network flow attempting to access water treatment and distribution systems. Network segmentation isolates individual treatment plants from each other and from corporate networks, limiting lateral movement opportunities. Post-implementation metrics showed a 73% reduction in successful phishing-initiated compromises and complete elimination of unauthorized remote access incidents.
Sector-Wide Threat Intelligence Sharing: The European Water Sector ISAC (Information Sharing and Analysis Center), established in 2023 under the auspices of the European Drinking Water Directive, now includes 340 utilities across 24 member states. Participating utilities share indicators of compromise, threat actor tactics, and vulnerability information through a standardized protocol. In 2024, the ISAC distributed 1,247 actionable threat alerts, with an average time from initial detection to sector-wide notification of 4.2 hours. This collaborative approach has proven particularly effective against coordinated campaigns targeting multiple utilities simultaneously.
What Isn't Working
Legacy SCADA System Vulnerabilities: A 2024 audit by the European Court of Auditors found that 67% of EU water utilities still operate SCADA systems with components manufactured before 2010, many running unsupported operating systems like Windows XP Embedded. These legacy systems often lack encryption capabilities, use default credentials, and cannot be patched without extensive—and expensive—testing to ensure process stability. The audit identified 23 desalination facilities where control systems were directly accessible from the internet, representing critical exposure points that threat actors have actively probed.
Fragmented Regulatory Compliance: Despite the NIS2 Directive's harmonization efforts, water utilities face overlapping and sometimes contradictory requirements from cybersecurity, environmental, and drinking water quality regulations. A utility in the Netherlands, for example, must comply with NIS2 cybersecurity requirements, the Dutch Drinking Water Decree, GDPR for customer data, and the Critical Entities Resilience Directive—each with different reporting timelines, risk assessment methodologies, and competent authorities. This fragmentation diverts resources from security implementation to compliance documentation and creates gaps where responsibilities remain unclear.
Insufficient OT Security Expertise: The water sector faces acute shortages of personnel with combined expertise in process engineering and cybersecurity. A 2024 survey by the European Water Association found that only 12% of water utilities had dedicated OT security staff, with most relying on IT departments lacking industrial control system experience or external consultants engaged on a project basis. This expertise gap manifests in security controls that impede operations (leading to workarounds that create vulnerabilities) or operational configurations that ignore security implications (such as enabling remote maintenance access without authentication).
Vendor Dependency and Supply Chain Risks: Major desalination plant operators depend on a concentrated group of vendors for membrane technology, control systems, and maintenance services. Compromise of these vendors' systems could provide attackers with privileged access to multiple facilities. The 2024 compromise of a European industrial automation vendor's software update mechanism, while not specifically targeting water utilities, demonstrated how supply chain attacks could propagate to hundreds of facilities within hours. Current vendor management practices in the water sector rarely include rigorous security assessments or contractual security requirements.
Key Players
Established Leaders
Veolia Environnement (France): The world's largest water services company, Veolia operates desalination plants across Spain, the Middle East, and Africa, serving over 95 million people with drinking water globally. In 2024, Veolia invested €180 million in digital transformation including cybersecurity, establishing regional security operations centers and implementing AI-driven anomaly detection across its operational technology networks.
SUEZ (France): Following its 2022 restructuring, SUEZ maintains significant desalination operations in the Mediterranean region and markets its proprietary AQUADVANCED suite of digital solutions for water treatment and network operations. The company operates the Sur desalination plant in Oman (155,000 m³/day) and provides technology to numerous European facilities.
ACCIONA Agua (Spain): A leading desalination technology provider operating 75 water treatment plants globally, ACCIONA commissioned the Al Khobar 2 desalination plant in Saudi Arabia (210,000 m³/day) in 2024 and has pioneered renewable-powered desalination. The company's integrated approach to sustainability includes comprehensive cybersecurity frameworks mandated across all operations.
IDE Technologies (Israel/Global): IDE operates some of Europe's largest desalination facilities, including plants in Spain and Cyprus, and has developed advanced security protocols for reverse osmosis control systems. Their Sorek B facility in Israel, the world's largest seawater reverse osmosis plant at 627,000 m³/day, serves as a testbed for security innovations subsequently deployed at European installations.
Aqualia (Spain): As a subsidiary of FCC Group, Aqualia serves 43 million people across 17 countries and has invested heavily in smart water networks incorporating security-by-design principles. Their investment in secure digital twin technology enables threat modeling and incident response planning without exposing operational systems to risk.
Emerging Startups
TaKaDu (Israel/Europe): TaKaDu's cloud-based analytics platform detects anomalies in water network behavior that may indicate cyberattacks, leaks, or equipment failures. The platform analyzes data from existing sensors without requiring new hardware, making it deployable across legacy infrastructure. Thames Water and several German utilities have implemented TaKaDu's solutions.
Radiflow (Israel): Specializing exclusively in OT cybersecurity for critical infrastructure, Radiflow provides intrusion detection systems, secure remote access solutions, and risk assessment tools designed specifically for water treatment protocols. Their partnership with Siemens enables integrated security for widely deployed SIMATIC controllers.
Claroty (United States/Europe): Claroty's Continuous Threat Detection platform has gained significant adoption among European water utilities, providing visibility into asset inventories, vulnerability management, and real-time threat detection across OT networks. The company's 2022 acquisition of Medigate expanded its capabilities into adjacent critical infrastructure sectors, notably healthcare.
Waterfall Security Solutions (Israel): Waterfall's unidirectional security gateway technology enables safe data transfer from OT to IT networks while physically preventing any traffic from flowing back into control systems. Major desalination operators have adopted Waterfall gateways to protect SCADA historians and enable cloud-based analytics without exposing control networks.
Nozomi Networks (United States/Europe): Nozomi's Guardian platform provides AI-powered network monitoring specifically optimized for industrial protocols used in water treatment, including Modbus, DNP3, and IEC 61850. Their European headquarters in Switzerland supports growing adoption among utilities implementing NIS2 compliance programs.
Key Investors & Funders
European Investment Bank (EIB): The EIB committed €4.2 billion to water infrastructure in 2024, with increasing emphasis on cybersecurity resilience. Their Climate and Environment Framework allocates specific funding for digital security upgrades in water utilities transitioning to smart water networks.
Horizon Europe Programme: The EU's research and innovation programme has allocated €350 million to water security research in the 2024-2027 period, including dedicated calls for proposals addressing cybersecurity in water critical infrastructure. The WATERLINE consortium, funded with €12 million, is developing open-source security tools for small and medium water utilities.
Breakthrough Energy Ventures: Bill Gates' climate-focused fund has invested in several water technology startups with security-integrated approaches, including €40 million in advanced desalination membrane technology incorporating tamper-evident sensors.
XPV Water Partners: This Canadian-headquartered fund specifically targets water sector investments and has made significant European allocations, including cybersecurity-focused technologies. Their portfolio companies include multiple firms developing secure industrial control systems for water treatment.
Xylem Watermark Fund: Xylem's corporate venture arm invests in water technology innovation including security solutions, with a €100 million commitment through 2026 focused on sustainable and resilient water infrastructure.
Examples
Example 1: EMAYA's Palma de Mallorca Desalination Security Transformation
EMAYA (Empresa Municipal de Aguas y Alcantarillado), the municipal water utility for Palma de Mallorca, operates a 64,800 m³/day desalination plant critical to the island's water supply, particularly during tourist season when demand increases by 40%. Following a near-miss security incident in 2023 where unauthorized access to the plant's human-machine interface (HMI) was detected, EMAYA undertook a comprehensive security transformation.
The implementation included network segmentation isolating the desalination control network from corporate IT, deployment of industrial-specific intrusion detection systems, implementation of multi-factor authentication for all remote access, and establishment of a 24/7 monitoring capability through a shared services agreement with the Balearic Islands government. The project cost €2.3 million over 18 months, with 60% funded through EU Cohesion Policy instruments.
Post-implementation metrics demonstrated significant improvements: unauthorized access attempts decreased from 23 monthly incidents to zero, mean time to detect anomalies improved from 72 hours to 12 minutes, and the plant achieved NIS2 compliance six months ahead of the October 2024 deadline. The security transformation also yielded operational benefits, with improved network visibility enabling identification of inefficient pump operations that, when corrected, reduced energy consumption by 7%.
Example 2: Acuamed's Multi-Facility Security Integration Across Spain
Acuamed (Aguas de las Cuencas Mediterráneas), a Spanish state-owned company operating critical water infrastructure along the Mediterranean coast, manages four major desalination plants with combined capacity exceeding 250,000 m³/day. In response to increasing threat activity targeting Spanish critical infrastructure in 2023-2024, Acuamed implemented a unified security architecture across all facilities.
The integration project established a centralized Security Operations Center in Murcia monitoring all facilities, standardized security controls across previously heterogeneous plant configurations, implemented secure software-defined networking enabling rapid isolation of compromised segments, and deployed deception technology (honeypots mimicking SCADA components) to detect and characterize attackers' tactics.
The centralized approach reduced per-facility security monitoring costs by 45% while improving detection capabilities. During Q3 2024, the deception infrastructure captured detailed intelligence on an advanced persistent threat (APT) group systematically probing Spanish water infrastructure, enabling proactive defense measures before any operational impact occurred. The intelligence was shared through the European Water Sector ISAC, benefiting utilities across the continent.
Example 3: Athens Water Supply and Sewerage Company's Resilience Program
EYDAP (Athens Water Supply and Sewerage Company), serving 4.3 million residents in the Attica region, implemented a comprehensive water security resilience program in 2024 following European Commission recommendations and Greek national security directives. The program addressed both physical and cyber threats to water supply infrastructure, including the company's desalination and water treatment facilities.
Key elements included a scenario-based exercise program simulating combined physical-cyber attacks, implementation of redundant control capabilities with geographically separated backup systems, deployment of water quality sensors with cryptographic authentication to prevent data manipulation, and establishment of a dedicated incident response team with cross-training in both security and water treatment operations.
The program's effectiveness was tested during a simulated exercise in September 2024 involving a coordinated attack scenario: physical intrusion at a treatment facility combined with a ransomware attack on SCADA systems. The exercise revealed that while detection capabilities performed well (identifying both attack vectors within 8 minutes), coordination between physical security responders and cybersecurity teams required improvement. Subsequent protocol revisions and additional joint training resolved the identified gaps.
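Example 3 mentions water quality sensors with cryptographic authentication to prevent data manipulation. The block below is an added example, not EYDAP's or any vendor's code, showing the minimum a historian-side verifier needs for that to hold: a per-sensor key, a keyed MAC over the whole frame so an on-path change to a reading invalidates it, a constant-time tag comparison, and a monotonic counter so a captured genuine frame cannot be replayed later to hide a contamination event. The wire format, the sensor id, the demo key and the readings are assumptions constructed for illustration; key provisioning is assumed to happen out of band.

```python
"""Authenticated water-quality sensor readings with replay protection.

Added example. Assumed wire format (not any vendor's protocol):
  msg = id_len(1) | sensor_id | counter(8, big-endian) | payload(JSON) | tag(32)
  tag = HMAC-SHA256(key[sensor_id], everything before the tag)
"""
import hashlib
import hmac
import json
import struct

TAG_LEN = 32
HEADER_MIN = 1 + 1 + 8  # id_len, one id byte, counter

# Demo-only key derived from a fixed string; real keys are provisioned per sensor.
DEMO_KEYS = {"wq-intake-07": hashlib.sha256(b"demo-only key, not for production").digest()}


def _frame_body(sensor_id: str, counter: int, reading: dict) -> bytes:
    sid = sensor_id.encode()
    if not 0 < len(sid) < 256:
        raise ValueError("sensor id must be 1..255 bytes")
    payload = json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()
    return struct.pack(">B", len(sid)) + sid + struct.pack(">Q", counter) + payload


def sign_reading(key: bytes, sensor_id: str, counter: int, reading: dict) -> bytes:
    """Sensor side: append an HMAC-SHA256 tag over id, counter and payload."""
    body = _frame_body(sensor_id, counter, reading)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ReadingVerifier:
    """Historian side: per-sensor keys and the highest counter accepted so far."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)
        self._last_counter = {}

    def verify(self, msg: bytes) -> dict:
        if len(msg) < HEADER_MIN + TAG_LEN:
            raise ValueError("truncated message")
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        id_len = body[0]
        if len(body) < 9 + id_len:
            raise ValueError("sensor id runs past end of message")
        sensor_id = body[1:1 + id_len].decode(errors="replace")
        key = self._keys.get(sensor_id)
        if key is None:
            raise ValueError(f"unknown sensor {sensor_id!r}")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            raise ValueError(f"bad tag for {sensor_id}: reading rejected")
        (counter,) = struct.unpack(">Q", body[1 + id_len:9 + id_len])
        if counter <= self._last_counter.get(sensor_id, -1):
            raise ValueError(f"replayed or stale counter {counter} for {sensor_id}")
        reading = json.loads(body[9 + id_len:])  # parsed only after the tag checks out
        self._last_counter[sensor_id] = counter
        return reading


def try_verify(verifier: ReadingVerifier, msg: bytes) -> str:
    try:
        verifier.verify(msg)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> list:
    """Run the verifier over constructed traffic; returns (case, outcome) pairs."""
    verifier = ReadingVerifier(DEMO_KEYS)
    sid = "wq-intake-07"
    reading = {"ph": 7.2, "turbidity_ntu": 0.3}
    genuine = sign_reading(DEMO_KEYS[sid], sid, 1, reading)
    tampered = genuine.replace(b"7.2", b"9.8")        # on-path edit of the pH value
    forged = sign_reading(b"attacker-key", sid, 2, reading)  # signed without the real key
    cases = (("genuine", genuine), ("tampered", tampered),
             ("replayed", genuine), ("forged", forged))
    return [(name, try_verify(verifier, msg)) for name, msg in cases]


if __name__ == "__main__":
    for name, outcome in demo():
        print(f"{name:9s} {outcome}")
```

Two details matter operationally: the accepted-counter table must survive a historian restart (persist it, or a reboot reopens the replay window), and the payload is parsed only after the tag verifies, so a malformed or hostile JSON body from an unauthenticated source never reaches the parser.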
Action Checklist
- Conduct a comprehensive asset inventory of all operational technology systems, including legacy SCADA components, programmable logic controllers (PLCs), and remote terminal units (RTUs), documenting firmware versions, network connectivity, and vendor support status.
- Implement network segmentation separating OT networks from IT networks and the internet, using industrial demilitarized zones (DMZs) and unidirectional security gateways where integration is required.
- Deploy industrial-specific intrusion detection systems capable of deep packet inspection for water treatment protocols (Modbus, DNP3, IEC 61850) and of establishing behavioral baselines for anomaly detection.
- Establish secure remote access mechanisms using multi-factor authentication, session recording, and just-in-time access provisioning to replace permanent VPN connections or direct internet exposure.
- Develop and regularly test incident response plans specific to OT environments, including procedures for isolating compromised systems while maintaining safe operations and manual backup protocols.
- Join sector-specific information sharing organizations such as the European Water Sector ISAC to receive threat intelligence and contribute to collective defense capabilities.
- Implement vendor risk management practices including security assessments for control system providers, software update verification procedures, and contractual security requirements.
- Conduct regular tabletop exercises simulating cyberattack scenarios relevant to water treatment and desalination operations, involving both IT security personnel and process engineers.
- Establish continuous monitoring capabilities with 24/7 coverage, either through internal security operations centers or managed security service providers with OT expertise.
- Review and update risk assessments annually or following significant changes, ensuring alignment with NIS2 Directive requirements and national transposition legislation.
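The intrusion detection item above asks for deep packet inspection of water treatment protocols plus a behavioural baseline. The following is an added example written for this page, not code from any product or utility named here, showing what that means concretely for Modbus/TCP: parse the MBAP header and PDU, compare each request against an allow-list of (source, unit, function code) tuples learned during normal operation, and apply engineering limits to setpoint writes so that an Oldsmar-style dosing change is flagged even when it comes from the legitimate HMI. The IP addresses, the register map (holding register 40 as a caustic dosing pump setpoint with raw range 0..500) and all traffic are constructed assumptions for illustration.

```python
"""Modbus/TCP request inspection: protocol parsing, an allow-list baseline
and engineering-limit checks on setpoint writes.

Added example; the addresses, register map and sample traffic below are
constructed. A real deployment learns its baseline from observed traffic.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Function codes that change controller state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1, 2, 3, 4}

# Learned baseline (constructed): 10.10.20.5 is the HMI; it polls holding
# registers (fc 3) and writes setpoints (fc 6 / fc 16) to unit 1.
BASELINE = {("10.10.20.5", 1, 3), ("10.10.20.5", 1, 6), ("10.10.20.5", 1, 16)}

# Hypothetical register map: holding register 40 = caustic dosing pump speed,
# raw units 0..500. Values outside this band are physically implausible.
SETPOINT_LIMITS = {40: (0, 500)}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    values: tuple  # register/coil values being written; empty for reads


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU of the common request types."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc in READ_FUNCTIONS or fc in (5, 6):
        if len(pdu) != 4:
            raise ValueError(f"function {fc} expects a 4-byte payload")
        address, arg = struct.unpack(">HH", pdu)  # reads: arg is quantity
        values = (arg,) if fc in (5, 6) else ()
        return ModbusRequest(tid, unit, fc, address, values)
    if fc == 16:
        if len(pdu) < 5:
            raise ValueError("truncated write-multiple-registers request")
        address, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) != 5 + byte_count:
            raise ValueError("byte count inconsistent with register quantity")
        return ModbusRequest(tid, unit, fc, address, struct.unpack(f">{qty}H", pdu[5:]))
    raise ValueError(f"function code {fc} not handled by this inspector")


def inspect(src_ip: str, frame: bytes) -> list[str]:
    """Return alert strings for one request; an empty list means it passed."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed Modbus from {src_ip}: {exc}"]
    alerts = []
    if (src_ip, req.unit_id, req.function) not in BASELINE:
        kind = f" ({WRITE_FUNCTIONS[req.function]})" if req.function in WRITE_FUNCTIONS else ""
        alerts.append(f"off-baseline: {src_ip} -> unit {req.unit_id} fc {req.function}{kind}")
    if req.function in (6, 16):  # check every register the write touches
        for offset, value in enumerate(req.values):
            reg = req.address + offset
            if reg in SETPOINT_LIMITS:
                lo, hi = SETPOINT_LIMITS[reg]
                if not lo <= value <= hi:
                    alerts.append(f"setpoint out of bounds: register {reg} = {value}, limits {lo}..{hi}")
    return alerts


def build_request(tid: int, unit: int, fc: int, address: int, *values: int) -> bytes:
    """Build a request frame; used here only to construct sample traffic."""
    if fc in READ_FUNCTIONS or fc in (5, 6):
        pdu = struct.pack(">BHH", fc, address, values[0])
    elif fc == 16:
        pdu = struct.pack(">BHHB", fc, address, len(values), 2 * len(values))
        pdu += struct.pack(f">{len(values)}H", *values)
    else:
        raise ValueError("unsupported function code")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    samples = [  # constructed traffic
        ("10.10.20.5", build_request(1, 1, 3, 0, 10)),          # HMI polls 10 registers
        ("10.10.20.5", build_request(2, 1, 6, 40, 250)),        # HMI sets pump to 250
        ("10.10.20.5", build_request(3, 1, 6, 40, 5000)),       # HMI-sourced, implausible
        ("10.10.30.77", build_request(4, 1, 16, 39, 100, 480)),  # unknown laptop writes
    ]
    for src, frame in samples:
        print(src, inspect(src, frame) or "ok")
```

The two checks catch different attackers: the baseline catches a new host or a new function code (a laptop on the control VLAN, a poll that suddenly becomes a write), while the limit check catches a compromised or misused HMI issuing a value the process could never legitimately need. Neither replaces authentication on the protocol itself, which classic Modbus lacks; they make the absence of it visible.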
FAQ
Q: How do cyberattacks on water infrastructure differ from attacks on typical IT systems? A: Attacks on water infrastructure operational technology (OT) systems differ fundamentally in their potential impacts and the constraints on defensive responses. While IT attacks typically target data confidentiality or service availability, OT attacks can directly affect physical processes—potentially altering water quality, causing equipment damage, or disrupting supply to populations. Defensive responses must account for safety-critical operations: unlike IT systems where immediate isolation is often appropriate, water treatment systems cannot simply be shut down without potentially serious public health consequences. Attackers may exploit this constraint, knowing that defenders cannot respond as aggressively as they might in purely IT contexts. Additionally, OT systems often use specialized protocols unfamiliar to IT security practitioners, operate on extended lifecycles (20+ years versus 3-5 years for IT), and may lack basic security features like encryption or authentication that are standard in modern IT environments.
Q: What are the primary attack vectors threatening European desalination facilities? A: European desalination facilities face several primary attack vectors. Remote access vulnerabilities represent the most commonly exploited path, with facilities often maintaining internet-accessible connections for vendor maintenance or remote monitoring without adequate authentication controls. Supply chain compromises through trusted vendors' software updates or hardware components provide sophisticated attackers with privileged access. Phishing attacks targeting employees with OT access can yield credentials enabling network traversal from IT to OT environments. Insider threats, whether malicious or inadvertent, pose significant risks given the specialized knowledge required to operate treatment systems. Physical access combined with cyber capabilities (cyber-physical attacks) enables installation of rogue devices or direct manipulation of control systems. Finally, ransomware adapted for industrial environments, such as the EKANS/SNAKE family, terminates known ICS software processes on Windows hosts (HMIs, historians, engineering workstations) before encrypting them, so that a single campaign can blind operators and halt production even though the PLCs themselves are not encrypted, potentially until ransom is paid or systems are rebuilt.
Q: What compliance requirements does NIS2 impose on water utilities? A: The NIS2 Directive (Directive (EU) 2022/2555), which member states were required to transpose by October 17, 2024, classifies water supply and wastewater management as essential services subject to enhanced requirements. Water utilities must implement cybersecurity risk management measures including risk analysis and information system security policies, incident handling procedures, business continuity and crisis management capabilities, supply chain security practices, security in network and information system acquisition, policies on cryptography use, human resources security and access control policies, and multi-factor authentication implementations. Significant incidents must be reported to competent authorities within 24 hours (early warning), 72 hours (incident notification), and one month (final report). Management bodies must approve and supervise cybersecurity measures, undergo training, and can be held personally liable for compliance failures. Penalties for non-compliance can reach €10 million or 2% of global annual turnover for essential entities.
Q: How can small water utilities with limited resources improve their cybersecurity posture? A: Small water utilities face genuine resource constraints but can significantly improve their security posture through prioritized, incremental measures. First, joining the European Water Sector ISAC provides access to shared threat intelligence and best practices at minimal cost. Second, implementing basic network hygiene—changing default passwords, disabling unnecessary services, and restricting internet connectivity—addresses the most commonly exploited vulnerabilities. Third, participating in free or subsidized cybersecurity assessments offered through national cybersecurity centers (such as ANSSI in France or BSI in Germany) can identify critical vulnerabilities without internal expertise. Fourth, shared services models, where multiple small utilities pool resources for 24/7 monitoring through a managed security service provider, can achieve economies of scale. Fifth, Horizon Europe and national funding programs specifically support small utility cybersecurity improvements—the WATERLINE project, for example, is developing open-source security tools designed for utilities lacking commercial solution budgets. Prioritization should focus on preventing the most consequential impacts rather than achieving comprehensive security immediately.
Q: What role does artificial intelligence play in protecting water infrastructure? A: Artificial intelligence increasingly enhances both attack and defense capabilities in water infrastructure security. Defensive applications include AI-powered anomaly detection systems that establish baselines of normal OT network behavior and identify deviations potentially indicating intrusions—this is particularly valuable given the deterministic nature of water treatment processes, where unexpected communications patterns are highly suspicious. Machine learning models analyze security events across multiple utilities to identify coordinated campaigns and emerging threat patterns faster than human analysts. Predictive maintenance applications can distinguish between equipment degradation (requiring maintenance) and manipulation (requiring security response) by analyzing sensor data patterns. However, AI also creates new risks: adversarial machine learning techniques could potentially poison training data or evade detection models, and AI-generated phishing content is increasingly difficult for employees to recognize. Additionally, AI systems themselves become attack targets—if an adversary could manipulate the AI analyzing water quality data, they might mask contamination or create false positives causing unnecessary operational disruptions. Robust implementation requires treating AI systems as critical components requiring their own security protections.
Sources
- European Environment Agency. (2024). Water resources across Europe: Confronting water stress. EEA Report No. 02/2024. Copenhagen: European Environment Agency.
- European Union Agency for Cybersecurity (ENISA). (2025). Threat Landscape for the Water Sector 2024. Athens: ENISA.
- European Commission. (2024). Implementation of the NIS2 Directive: Sector-Specific Guidance for Water Utilities. Brussels: Directorate-General for Communications Networks, Content and Technology.
- European Court of Auditors. (2024). Special Report: Cybersecurity of Critical Water Infrastructure in the EU. Luxembourg: Publications Office of the European Union.
- World Health Organization Regional Office for Europe. (2024). Water Safety in Buildings and Critical Infrastructure: Addressing Climate and Security Challenges. Copenhagen: WHO Europe.
- International Desalination Association. (2024). IDA Desalination and Water Reuse Handbook: Security Considerations for Modern Facilities. Topsfield: International Desalination Association.
- European Investment Bank. (2024). Water Sector Lending: 2024 Activity Report. Luxembourg: European Investment Bank.
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union, L 333.